Exposing GRU's Unit 74455 "NotPetya" Malware 
Gang - An OSINT Analysis 


URL: linuxkrnl.net/ 
IP: 52.45.178.122 - PTR: ec2-52-45-178-122.compute-1.amazonaws.com 
GeoIP: US - AS14618 (AMAZON-AES - Amazon.com, Inc., US) 


Brace yourselves! 


In this in-depth technical and qualitative OSINT analysis I've decided to 
publicly provide a peek inside the Internet-connected fraudulent and 
malicious infrastructure of GRU's "NotPetya" malware gang, including 
personal photos of some of the gang's members, for the purpose of 
assisting U.S. law enforcement on its way to track down, monitor and 
prosecute the cybercriminals behind these campaigns. 


Sample industry aliases for the group behind these campaigns: Sandworm Team, 
TeleBots, Voodoo Bear, Iron Viking. 


Sample personal photos of the FBI's Most Wanted GRU Unit 74455 
"NotPetya" malware gang members: 


Sample malicious attachment: Qui peut parler _aux_journalists.docx 
Sample personal email address accounts known to have been involved 
in the campaign: 


olympicgameinfo@gmail.com 
alert.safekorea@gmail.com 
nctc.go@gmail.com 


Sample C&C (Command and Control) server domain known to have 
been involved in the campaign: 

hxxp://msrole.com - 52.45.178.122 

hxxp://acledit.com/3gJw/2eH1eL/cQ6.zip/?4ft=XcF3DnwktjA4IrcxT2I= 


Sample malicious MD5 known to have been involved in the campaign: 
MD5: 77089c094c0f2c15898ff0f021945148 

Sample name servers known to have been involved in the campaign: 
hxxp://ns1.msrole.com - 27.102.102.30 

hxxp://ns2.msrole.com 


Sample Maltego graphs: 
Related malicious and fraudulent domains known to have been involved 
in the campaign: 
hxxp://abs.twitter.com.webapp.workbench.run 
hxxp://abv.bg.login-site.online 
hxxp://accounts-updates.club 
hxxp://accounts.ukr.net.checklogin.fbapp.info 
hxxp://accounts.ukr.net.checklogin.updatenote.net 
hxxp://accounts.ukr.net.checklogin.userarea.click 
hxxp://accounts.ukr.net.fbapp.info 
hxxp://accounts.ukr.net.updatenote.net 
hxxp://accounts.ukr.net.userarea.click 
hxxp://algemene-controle.online 
hxxp://beststreammusic.com 
hxxp://bg.fbapp.info 
hxxp://bg.login-site.online 
hxxp://bg.userarea.click 
hxxp://center.cmdswitch.xyz 
hxxp://checklogin.login-site.online 
hxxp://cn.beststreammusic.com 
hxxp://com.webapp.workbench.run 
hxxp://cpanel.fairfieldsch.org 
hxxp://dns.thehomeofbaseball.com 
hxxp://e.mail.ru.settings.fbapp.info 
hxxp://escochartzone.com 
hxxp://facebook.com.webapp.workbench.run 
hxxp://fastfilmsbucket.com 

hxxp://fbapp.info 

hxxp://fontdrvstore.com 
hxxp://free24player.com 
hxxp://georgia-travel.org 
hxxp://google-account-settings.spdup.art 
hxxp://google-moogle.spdup.info 


hxxp://google-settingsapi.fbapp.link 
hxxp://hostmaster.fbapp.info 
hxxp://hostmaster.jazzradiostream.com 
hxxp://hs126.tamsimail.com 
hxxp://hs157.tamsimail.com 
hxxp://jazzradiostream.com 
hxxp://laerka.supplrald.com 
hxxp://liveserviceonedrive.com 
hxxp://login-site.online 
hxxp://login-yahoo.fbapp.link 
hxxp://loungecinemaclub.com 
hxxp://luxefighting.net 
hxxp://m.facebook.com.webapp.workbench.run 
hxxp://mail.algemene-controle.online 
hxxp://mail.bg.fbapp.info 
hxxp://mail.bg.login-site.online 
hxxp://mail.bg.login.photography 
hxxp://mail.bg.userarea.click 
hxxp://mail.eservicesystems.net 
hxxp://mail.fairfieldsch.org 
hxxp://mail.linuxkrn1.net 
hxxp://mail.liveserviceonedrive.com 
hxxp://mail.regvirt.com 
hxxp://mail.suncommunications.org 
hxxp://mail.topcinemaclub.com 
hxxp://mckinseyandco.com 
hxxp://mimecastverified.com 
hxxp://moderntips.org 
hxxp://mta-s1-151.tamsimail.com 
hxxp://mta20.r1.tamsimail.com 
hxxp://mta301.tamsimail.com 
hxxp://mta303.tamsimail.com 
hxxp://mta32a.tamsimail.com 
hxxp://mta337.tamsimail.com 
hxxp://mta440.tamsimail.com 
hxxp://mta447.tamsimail.com 
hxxp://mta624.tamsimail.com 
hxxp://mta676.tamsimail.com 
hxxp://mta678.tamsimail.com 
hxxp://mta698.tamsimail.com 
hxxp://mta770.tamsimail.com 
hxxp://mta873.tamsimail.com 
hxxp://mta884.tamsimail.com 
hxxp://mta891.tamsimail.com 


hxxp://mta900.tamsimail.com 
hxxp://mta913.tamsimail.com 
hxxp://mta925.tamsimail.com 
hxxp://mta929.tamsimail.com 
hxxp://mta932.tamsimail.com 
hxxp://my-photo-service.com 
hxxp://my.idnn.asia 
hxxp://myaccount.click 
hxxp://narrowpass.net 
hxxp://networkcentrals.com 
hxxp://nmail.regvirt.com 
hxxp://noadsplayer.com 
hxxp://ns1.checklogin.in 
hxxp://ns1.treepastwillingmoment.com 
hxxp://ns2.checklogin.in 
hxxp://ns2.treepastwillingmoment.com 
hxxp://ns2.userzone.one 
hxxp://ovhsec.com 
hxxp://passengerco.com 
hxxp://passport.abv.bg.fbapp.info 
hxxp://passport.abv.bg.userarea.click 
hxxp://photosyncdrive.com 
hxxp://politicweekend.com 
hxxp://poolpartyrecords.com 
hxxp://protonhardstorage.com 
hxxp://redsample.net 
hxxp://regvirt.com 
hxxp://relay.soft-storage.com 
hxxp://remotepx.net 
hxxp://renodesmart.com 
hxxp://sarmsoftware.com 
hxxp://securitylogagent.com 
hxxp://server31743.com 
hxxp://smtp.truefashionnews.com 
hxxp://sportever.org 
hxxp://static.facebook.com.webapp.workbench.run 
hxxp://store.soligro.com 
hxxp://support-cloud.life 
hxxp://syslog.acledit.com 
hxxp://thissubdomainshouldonlyresolveifwildcard.liveserviceonedrive.com 
hxxp://time-2t-time.com 
hxxp://timezone0.com 
hxxp://travelerupdate.com 
hxxp://truefashionnews.com 


hxxp://twitter.com.checklogin.in 
hxxp://twitter.com.webapp.memcached.in 
hxxp://ukr.net.fbapp.info 
hxxp://utc2Itc.com 
hxxp://webapp.workbench.run 
hxxp://webdisk.fairfieldsch.org 
hxxp://webmail.fairfieldsch.org 
hxxp://wgzhk.dns15.bid 
hxxp://worldimagebucket.com 
hxxp://wp.soligro.com 
hxxp://ww1.fbapp.info 
hxxp://ww12.fbapp.info 
hxxp://ww25.fbapp.info 
hxxp://ww43.fbapp.info 
hxxp://activityduringhistoricaloffice.com 
hxxp://adobeincorp.com 
hxxp://aeroservicemax.com 
hxxp://akamaisoftupdate.com 
hxxp://akulaku.tutooliv.club 
hxxp://algemene-controle.online 
hxxp://bbcweather.org 
hxxp://beststreammusic.com 
hxxp://checkmalware.info 
hxxp://daysheduler.org 
hxxp://escochartzone.com 
hxxp://facebook.com.webapp.workbench.run 
hxxp://fairfieldsch.org 
hxxp://faststoragefiles.org 
hxxp://fbapp.info 
hxxp://fundseats.com 
hxxp://globaltechengineers.org 
hxxp://hostapp.link 
hxxp://iboxmit.com 
hxxp://liveserviceonedrive.com 
hxxp://mdcrewonline.com 
hxxp://moldtravelgroup.com 
hxxp://narrowpass.net 
hxxp://nethostnet.com 
hxxp://networkcentrals.com 
hxxp://newstyleradio.net 
hxxp://ovhsec.com 
hxxp://photosyncdrive.com 
hxxp://politicweekend.com 
hxxp://powernoderesources.com 


hxxp://regvirt.com 
hxxp://sarmsoftware.com 
hxxp://scalingreserve.com 
hxxp://truefashionnews.com 
hxxp://updatesystems.net 
hxxp://urlweb.dslbd.xyz 
hxxp://userarea.click 
hxxp://userarea.top 
hxxp://userzone.one 
hxxp://virm.xtrmp3.site 
hxxp://virtsvc.com 
hxxp://webcache.one 
hxxp://workbench.run 
hxxp://worldimagebucket.com 
hxxp://x-tools.tech 
hxxp://wwwco4testmcsoft.com 
hxxp://zeroslitecarb.com 
hxxp://zfmceg.dns15.bid 


Sample screenshots of known C&C (Command and Control) domains: 


Related personal email address accounts known to have been involved 


in the campaign: 


p.henningsson@centrum.cz 
milimil0702@mail.com 
amandabuilderama@mail.com 
hiepgp.bn@gmail.com 
romer@mail.com 
arik@hostar.org 
dr.x@europe.com 

JawdahKoury@tutanota.com 
presmike2034@msn.com 


kingston_trevino@protonmail.com 


pol.michael@post.com 
ben.grochot@tdfs.com 
joaquin garcia@gmx.ch 
andre roy@mail.com 
bolekrejci@centrum.cz 
iflatley@openmailbox.org 
mikalay@icloud.com 
jada.okeefel 5@mail.com 
manuel.herez@centrum.cz 
olivier_servgr@mail.com 
colemanmail@mail.com 
lucasbenson@europe.com 
rgrey@tutanota.com 
tarob999@outlook.com 
mahuudd@centrum.cz 
pearliestehr@airmail.cc 
ysrb@outlook.com 
hr.jagdeep@gmail.com 
erick_bolton@protonmail.com 


yyb_enjoy@126.com 
ken@m4v.me 
rickey.gevers@gmail.com 
tarob666@outlook.com 
declan.jefferson@sapo.pt 
ysrb.riady@gmail.com 
contact_r.zeteny@keemail.me 
pravich83@gmail.com 
qq5598002@gmail.com 
leila77@cock.li 
klaoja@cock.li 
loisoji@firemail.cc 
rvanholsted@yahoo.com 
ulli_neu80@mail.com 
ma_picarlo@centrum.cz 
mattew.barnes@aol.com 
trajboj@centrum.cz 
softmainnew@yandex.com 
gerpsz@airmail.cc 
gabrielromao@sapo.pt 


Related malicious and fraudulent C&C (Command and Control) 
domains known to have been involved in the campaign: 


hxxp://1007.net 
hxxp://acledit.com 
hxxp://adobeincorp.com 
hxxp://aeroservicemax.com 
hxxp://akamaisoftupdate.com 
hxxp://appservice.site 
hxxp://appservicegroup.com 
hxxp://autoupdater.org 
hxxp://beststreammusic.com 
hxxp://bestweddingparty.org 
hxxp://bg-abvmail.pw 
hxxp://busseylawoffice.com 
hxxp://cdnmsnupdate.com 
hxxp://cdnverify.net 
hxxp://checkmalware.info 
hxxp://ciscosupports.com 
hxxp://conflictzone.info 
hxxp://dancemusicstream.com 
hxxp://dateosx.com 
hxxp://daysheduler.org 


hxxp://dncevotebuilder.com 
hxxp://doorbehindentirerelationship.com 
hxxp://escochart.com 
hxxp://escochartzone.com 
hxxp://eservicesystems.net 
hxxp://esetsmart.org 
hxxp://eu-office365.top 
hxxp://experiencewithweakkid.com 
hxxp://familynearbysuitablenumber.com 
hxxp://faststoragefiles.org 
hxxp://fbapp.info 
hxxp://fbapp.top 
hxxp://focdn.store 
hxxp://fundseats.com 
hxxp://funnymems.com 
hxxp://genericnetworkaddress.com 
hxxp://georgia-travel.org 
hxxp://globaltechengineers.org 
hxxp://groupsincevisibleend.com 
hxxp://hostapp.art 
hxxp://hourduringstrictsense.com 
hxxp://ikmtrust.com 
hxxp://info-update-otlk.com 
hxxp://kenlynton.com 
hxxp://linuxkrnl.net 
hxxp://loungecinemaclub.com 
hxxp://malwarecheck.info 
hxxp://mdcrewonline.com 
hxxp://meteost.com 
hxxp://microsofi.org 
hxxp://microsoftupdated.com 
hxxp://ministernetwork.org 
hxxp://miropc.org 
hxxp://moderntips.org 
hxxp://moldtravelgroup.com 
hxxp://msfontserver.com 
hxxp://msrole.com 
hxxp://mvband.net 
hxxp://mvsband.com 
hxxp://mvtband.net 
hxxp://myinvestgroup.com 
hxxp://mysent.org 
hxxp://nanetsdeb.com 
hxxp://naoasch.com 


hxxp://narrowpass.net 
hxxp://ndsee.org 
hxxp://newfilmts.com 
hxxp://ntpstatistics.com 
hxxp://onedrive-jp.com 
hxxp://pandorasong.com 
hxxp://placeuntilknownparent.com 
hxxp://politicweekend.com 
hxxp://powerpolymerindustry.com 
hxxp://protonhardstorage.com 
hxxp://rapidfileuploader.org 
hxxp://rdsnets.com 
hxxp://reasonwithusefulpolicy.com 
hxxp://regvirt.com 
hxxp://reservecorpind.com 
hxxp://rpcnetconnect.com 
hxxp://sarmsoftware.com 
hxxp://schooltillhungryprocess.com 
hxxp://sdhjjekfp4k.com 
hxxp://secnetcontrol.com 
hxxp://servicetlnt.net 
hxxp://softwaresupportsv.com 
hxxp://soligro.com 
hxxp://spdup.art 
hxxp://ssl-mircosoft.com 
hxxp://star4vn.net 
hxxp://streetunderrelevantpeople.com 
hxxp://suncommunications.org 
hxxp://support-cloud.life 
hxxp://systembeforeniceparent.com 
hxxp://tablebeforehelpfulperson.com 
hxxp://thehomeofbaseball.com 
hxxp://topcinemaclub.com 
hxxp://truefashionnews.com 
hxxp://um10eset.net 
hxxp://unigymboom.com 
hxxp://updatepc.org 
hxxp://updatesystems.net 
hxxp://utmserver.com 
hxxp://virtsve.com 
hxxp://visualrates.com 
hxxp://viters.org 
hxxp://webstp.com 
hxxp://westmedicalgroup.net 


hxxp://windowsdefltr.net 
hxxp://workbench.run 
hxxp://worldimagebucket.com 


Additional related malicious and fraudulent C&C (Command and Control) 
domains known to have been involved in the campaign: 


hxxp://sarmsoftware.com 
hxxp://protonhardstorage.com 
hxxp://onedrive-jp.com 
hxxp://google-maps.us 
hxxp://scatteredsecrets.com 
hxxp://ip-phishing.com 
hxxp://adobeincorp.com 
hxxp://msfontserver.com 
hxxp://hineted.com 
hxxp://lovebluesky.com 
hxxp://hineter.com 
hxxp://psrrange.com 
hxxp://ikmtrust.com 
hxxp://citizenpolicenetwork.com 
hxxp://keatontax.com 
hxxp://michaelspontak.net 
hxxp://softwaresupportsv.com 
hxxp://reslocks.com 
hxxp://mvsband.com 
hxxp://vote4mike.net 
hxxp://rmndversion.net 
hxxp://michaelspontak.com 
hxxp://reslocksmith.com 
hxxp://meadowhillbaptist.org 
hxxp://faststoragefiles.org 
hxxp://spontakfamily.com 
hxxp://okolonabaptist.org 
hxxp://mydateapp.net 
hxxp://ckswebmanagement.com 
hxxp://reservecorpind.com 
hxxp://miropc.org 
hxxp://citizenpoliceacademynetwork.com 
hxxp://blogbymike.com 
hxxp://cksbusiness.com 
hxxp://generalsecuritycorp.org 
hxxp://newfilmts.com 
hxxp://naoasch.com 


hxxp://myinvestgroup.com 
hxxp://euronews24.info 
hxxp://damagedchristian.net 
hxxp://webstp.com 
hxxp://cksweb.net 
hxxp://damagedchristian.com 
hxxp://healthkeeping.org 
hxxp://taxprepcompany.org 
hxxp://akamaisoftupdate.com 
hxxp://citizen-police-academy.org 
hxxp://rpcnetconnect.com 
hxxp://citizen-police-academy.net 
hxxp://psrrange.org 
hxxp://psrrange.net 
hxxp://cvssucks.net 
hxxp://ckswebhosting.com 
hxxp://citizen-police-academy.com 
hxxp://meteost.com 
hxxp://cks-security.com 
hxxp://nanetsdeb.com 
hxxp://psr-range.com 
hxxp://church-web-ad.com 
hxxp://cvssucks.biz 
hxxp://psrrange.biz 
hxxp://checkwinframe.com 
hxxp://exitinterview-themovie.org 
hxxp://soligro.com 
hxxp://cksweb.org 
hxxp://secnetcontrol.com 
hxxp://michaelspontak.space 
hxxp://testsnetcontrol.com 
hxxp://true-church.net 
hxxp://citizenpoliceacademynetwork.net 
hxxp://true-church.com 
hxxp://church-network.com 
hxxp://cooperchurch.org 
hxxp://ndsee.org 
hxxp://ministernetwork.net 
hxxp://ithatepolice.net 
hxxp://spontakfamily.net 
hxxp://ministernetwork.com 
hxxp://spontakfamily.org 
hxxp://appservicegroup.com 
hxxp://ckswebhost.net 


hxxp://tax-prep-company.com 
hxxp://eurosatory-2014.com 
hxxp://link-google.com 
hxxp://ntpstatistics.com 
hxxp://googlesetting.com 
hxxp://ya-support.com 
hxxp://evrosatory.com 
hxxp://esetsmart.org 
hxxp://set121.com 
hxxp://us-westmail-undeliversystem.com 
hxxp://us-mg7mail-transferservice.com 
hxxp://virtsvc.com 
hxxp://changepassword-hotmail.com 
hxxp://changepassword-yahoo.com 
hxxp://product-update.com 
hxxp://academl.com 
hxxp://dateosx.com 
hxxp://software-update.org 
hxxp://malwarecheck.info 
hxxp://update-hub.com 
hxxp://soft-storage.com 
hxxp://ministernetwork.org 
hxxp://bulletin-center.com 
hxxp://rdsnets.com 
hxxp://globaltechengineers.org 
hxxp://as23-updater-symantec.org 
hxxp://um10eset.net 
hxxp://microsoftupdated.com 
hxxp://cdnverify.net 
hxxp://mamutmaill.com 
hxxp://conflictzone.info 
hxxp://trafficdirectsystem.biz 
hxxp://mybit.pro 
hxxp://mybtc.pro 
hxxp://socks.pm 
hxxp://rentin.asia 
hxxp://autoupdater.biz 
hxxp://autoupdater.org 
hxxp://drones.rent 
hxxp://xmpp.o0o 
hxxp://isocks.pro 
hxxp://microdice.in 
hxxp://ipcheck.pro 
hxxp://dateless.pro 


Related malicious SHA-256 hashes known to have phoned back to the same C&C 
server domains: 


0062ece42577b94119f4e128ed77a89aa26db206ab77a3cdaf98dc5cec1bc2b6 
01da20243c26cd677339c978274776d331b0b2387cdb085527b7f7b68fc1ac59 
0860f29226069a732f988cb70ea6d51057d204d421bb709b8e759376b0c4d201 
Obe57d1244 fefc679feb7aa9996e53948 | be7b8£4c92468 17 £8 1 caa8ce2f6 1a57 
0d260a4ea865773a86b3fc0fe89df92c86289c0266b1dd5ab8e3174839cb94c2 
102b0158bcd5a8b64de44d9f765193dd80df1504e398ce52d37b7c8c33f2552a 
12e171291f0deae69509a6ef2220cd9e0bI9ed0e3 e865 | £33824fc627612be055 
1370b8491829178c260f417623192c18f18779d71149c9a8786fa4dd79c56325 
17234284a1e98e8350ec6ab7f5998b53d130495473945483b967e3dc9007250c 
2005bbb82a8b2b4744188be58ef5b3892ca4af920bc645e1f334b2ae62a26624 
29cc2e69f65b9ce5fe04eb9b65942b2dabf48e41770f0a49eb698271b99d2787 
2c81023a146d2b5003d2b0c617ebf2eb1501dc6e55fc6326e834f05f5558c0ec 
2cea2al f53dac3 f4fffl S6eacc2ecc8e98b 1ab64f0f5Sb5ee 1042069d9a226c55c 
33c187cfd9e3b68c3089c27ac64a519ccc951ecb3c74d75179c520f54f11f647 
378ef276eceaa4a29dab46d114710fc14ba0a9f964f6d949bcbc5ed3267579892 
37f15647c26d475db805048d6592aal1 53533ac5f4373 145c75e24012a5 lad9f8 
42ed4ab65535ae382ed00a954a564bd13ac77731311400378af90bce2a463521 
45540fe0890bd5063fe2c464efd554e0e119d8501cc57cbec7e3577a9bb33a22 
48264394ab80a932b9df7520e8ec57e68a652c0302f8a8a5ac2d1321b9a3c84e 
48al bd2f7ee85e9676c4ecea0b353ecda2f5 83 fbd72ced688af660fe8 fdf34bbe 
59070257ff9289683876d19678267f5b9449ce0884fa59e55cfdc60f9df2f41c 
5a02d4e5f6d6a89ad41554295114506540f0876e7288464e4a70c9ba51d24f12 
5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1 
62e33f4126d58ac36ea0e75102d36eae929ce210da80ead210342d2d91afb03b 
634795a3acbae8964bb31e3ebed7f29208844978a512fc26a8b9a51901f9cab9 
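The indicator lists above are defanged (hxxp://), mix hosts with IPs and name servers, and the hostnames show two patterns worth machine-checking: a legitimate brand's domain planted as leading labels in front of the attacker's registrable domain (accounts.ukr.net.checklogin.fbapp.info is a subdomain of fbapp.info, not of ukr.net), and brand keywords baked into the registrable domain itself (liveserviceonedrive.com, whose wildcard-probe entry also shows the zone answers for any label). The script below is an added example written for this page, not tooling from the post or its author: it refangs and classifies the indicators, extracts the registrable domain, flags both impersonation patterns, and matches a DNS query log against the resulting blocklist. The sample indicator block and DNS log lines are constructed from the page's formats; the small public-suffix stand-in, the list of spoofed brand domains and the brand-keyword list are assumptions to be extended for real use.

```python
"""Normalise a defanged IOC dump (hxxp:// hosts, e-mails, hashes), flag
brand-impersonating hostnames, and match a DNS query log against them."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the page's own formats; not the full lists above.
SAMPLE_IOCS = """
hxxp://accounts.ukr.net.checklogin.fbapp.info
hxxp://facebook.com.webapp.workbench.run
hxxp://thissubdomainshouldonlyresolveifwildcard.liveserviceonedrive.com
hxxp://fbapp.info
hxxp://msrole.com - 52.45.178.122 -
hxxp://ns1.msrole.com - 27.102.102.30
olympicgameinfo@gmail.com
MD5: 77089c094c0f2c15898ff0f021945148
0860f29226069a732f988cb70ea6d51057d204d421bb709b8e759376b0c4d201
"""

# Constructed DNS query log: "<ts> <client> <qname> <qtype> <answer>".
# 52.45.178.122 is the page's AWS address; the others are RFC 5737 test addresses.
SAMPLE_DNS_LOG = """
2018-06-10T12:00:01Z 10.0.0.15 accounts.ukr.net.checklogin.fbapp.info A 52.45.178.122
2018-06-10T12:00:02Z 10.0.0.15 www.ukr.net A 203.0.113.10
2018-06-10T12:00:03Z 10.0.0.22 cdn.liveserviceonedrive.com A 52.45.178.122
2018-06-10T12:00:04Z 10.0.0.22 login.microsoftonline.com A 198.51.100.7
"""

HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(?:[/:\s]|$)", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
HEX_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}

# Assumptions: a tiny stand-in for the public suffix list, the brand domains the
# page's hostnames plant as leading labels, and brand keywords seen in the
# registrable domains themselves. Extend all three for real use.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
SPOOFED_DOMAINS = ("ukr.net", "facebook.com", "twitter.com", "abv.bg", "mail.ru", "google.com", "yahoo.com")
BRAND_KEYWORDS = ("onedrive", "microsoft", "mimecast", "akamai", "adobe", "cisco", "eset", "symantec", "office365")


def refang(line: str) -> str:
    """Undo the common defanging conventions (hxxp, [.], (dot))."""
    line = re.sub(r"(?i)hxxp", "http", line)
    return line.replace("[.]", ".").replace("(dot)", ".")


def parse_iocs(text: str) -> Dict[str, object]:
    """Sort each line into hosts, IPs, e-mail accounts or hashes (by digest length)."""
    iocs = {"hosts": set(), "ips": set(), "emails": set(),
            "hashes": {"md5": set(), "sha1": set(), "sha256": set()}}
    for raw in text.splitlines():
        line = refang(raw.strip())
        if not line:
            continue
        emails = EMAIL_RE.findall(line)
        if emails:
            iocs["emails"].update(e.lower() for e in emails)
            continue
        digests = HEX_RE.findall(line)
        if digests:
            for d in digests:
                iocs["hashes"][HASH_KIND[len(d)]].add(d.lower())
            continue
        m = HOST_RE.match(line)
        if m:
            iocs["hosts"].add(m.group(1).lower().rstrip("."))
        iocs["ips"].update(IPV4_RE.findall(line))  # "host - ip" lines carry both
    return iocs


def registrable_domain(host: str) -> str:
    """Last two labels, or three when the public suffix itself has two labels."""
    labels = host.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def _contains_labels(seq: List[str], sub: List[str]) -> bool:
    return any(seq[i:i + len(sub)] == sub for i in range(len(seq) - len(sub) + 1))


def impersonation_flags(host: str) -> Tuple[List[str], List[str]]:
    """(brand domains planted as leading labels, brand keywords inside the registrable domain)."""
    host = host.lower()
    reg = registrable_domain(host)
    prefix_labels = host[:-len(reg)].rstrip(".").split(".") if host != reg else []
    spoofed = [b for b in SPOOFED_DOMAINS if _contains_labels(prefix_labels, b.split("."))]
    lookalike = [k for k in BRAND_KEYWORDS if k in reg]
    return spoofed, lookalike


def blocklist_from(hosts: Set[str]) -> Set[str]:
    """Hosts plus their registrable domains: the wildcard-probe entry on the page
    shows these zones resolve any label, so the parent zone is blocked too."""
    return set(hosts) | {registrable_domain(h) for h in hosts}


def match_dns_log(lines: List[str], blocked: Set[str]) -> List[Tuple[str, str]]:
    """Return (qname, matched indicator) for queries at or under a blocked name."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        labels = qname.split(".")
        for i in range(len(labels) - 1):  # the qname itself, then each parent zone
            candidate = ".".join(labels[i:])
            if candidate in blocked:
                hits.append((qname, candidate))
                break
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE_IOCS)
    for h in sorted(iocs["hosts"]):
        print(h, impersonation_flags(h))
    print(match_dns_log(SAMPLE_DNS_LOG.strip().splitlines(), blocklist_from(iocs["hosts"])))
```

Run against the full lists above, the parent-zone walk is what catches a query such as cdn.liveserviceonedrive.com that is not itself listed, while the victim brand (www.ukr.net) is never flagged because only the attacker-controlled registrable domain enters the blocklist. Replace the suffix stand-in with a real public suffix list before trusting registrable_domain on arbitrary TLDs.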